Risks of Using Weak Passwords

(Why you should use passwords and access rights separation)

Modern life makes it more and more difficult to get along without a computer, both at work and at home. At work you use terminals, databases, and multiuser services; at home there are personal pages and blogs, forums and social networks, instant messengers, and voice and video chats. In both cases, passwords are necessary. But what are they useful for? First of all, they restrict access to confidential information and to personal user data.

Every employee in an organization's corporate network has his or her own access rights to information: the rights to read, execute, write to, and delete certain files. Restricting access by the combination of a user's login name and password ensures that malicious users, and users who do not (and should not) know the password, cannot reach the data.

The same applies when a user opens a personal page or blog, checks e-mail, or starts an instant messenger or chat: in every case the service identifies the user by the entered login and password. In principle this is safe enough, because the password is known only to the user. In practice, however, the password can still be cracked or obtained by malicious persons using clever methods. Moreover, the number of services keeps growing, and it becomes harder and harder to remember dozens of different passwords.

Many users, when asked “Do you choose your password carefully?”, answer with another question: “What for? Why would a hacker be interested in the information or e-mails of an ordinary Internet user like me, one of thousands of others?” This attitude is the main reason for selecting simple, so-called “weak” passwords for signing in to a service.

According to the statistics available when this paper was written, theft of personal data and passwords by professional hackers accounts for a little more than one percent of all password compromises. Friends and people close to the password owner, who find the password intentionally (to play a joke or to frighten the owner by reading his or her private correspondence) or simply spot it by chance, account for another ten to eleven percent. About twenty-five percent of thefts are deliberate attempts to discover the password in order to steal personal data, but they are carried out by similar ordinary users, not professionals. The rest (about 63–64% at the time of writing) comes from spam networks that crack user accounts in order to send spam.

(Why you should not choose weak passwords and how they are cracked)

So, what are “weak” passwords and why is their use not recommended? A “weak” password is one that contains information about the user or consists of a common, frequently used word. Such passwords can be cracked easily, and often guessed by a malicious user without any special software at all.

A password is any valid sequence of characters, and it is often the only means a system or service has to identify a user. This means that anyone else who knows the password can log in and enjoy all the permissions that user has. A password can be obtained in several ways: by recognition (social engineering, key-loggers, spyware, and various other tracing methods); by guessing (from a frequency dictionary, by syllables, or with various word-creation rules); and by brute force, that is, exhaustive search.

Recognition is the simplest method, but it is not always available. Anyone standing near the user as the password is typed can see it. Alternatively, a special program, a key-logger that records every key press, can be installed on the user's computer in advance (hardware key-loggers also exist). By analyzing the log such a program produces, one can reconstruct every operation the user performed during the session and recover his or her passwords with pinpoint accuracy. Video surveillance gives the same result. Often only one condition makes this method impracticable: the hacker can neither be in close proximity to the user nor have access to the user's workstation.

Social engineering pays off when it is already likely that the user has chosen a “weak” password for the account. Many users build passwords from their own names or the names of friends, parents, or children, the nicknames of pets, or the names of memorable places. Often one can collect such information and arrive at the password simply by trying different combinations. In addition, many Internet services let the user change the password by answering a secret question chosen during sign-up. In that case one can learn the correct answer, for example from a private conversation, and then change the password of the mailbox without the permission or consent of its owner.

Social engineering can also mean simply gaining the user's confidence by posing as a project administrator or a member of technical support, imitating some technical problem during the user's work at the computer, and then “helping” the user fix it. In other words, the user is made to hand over his or her credentials voluntarily. It sounds funny, but it is true: this method is used very often and is still effective.

If social engineering does not work, but you still believe the user has set a “weak” login password, special password-cracking programs will do the job. Such programs carry large dictionaries of the most commonly used words and try them one after another in a linear search. Passwords consisting of a single “normal” word can therefore be cracked quickly.

With “strong” passwords, created according to certain rules and long enough, the opposite is true. They are sufficiently crack-resistant and cannot be found with a frequency dictionary alone. If the password contains digits and/or special characters in the middle of the word, a plain dictionary search produces nothing for the hacker; only a search over all possible strings will help. This is the brute-force method. It is guaranteed to find the password if enough time is available, but a long, crack-resistant password may take years (sometimes decades or even centuries on currently available technology) of continuous searching. During that time the user will change the password again and again, and even if the hacker eventually finds it, it may already be outdated.
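The escalation described in the two paragraphs above (plain dictionary search, then dictionary words expanded with word-creation rules, then exhaustive search) as an added example, not code from the original paper. The salted SHA-256 “password store”, the salt, the wordlist and the three victim passwords are all constructed for illustration; a real wordlist holds millions of entries and a real rule set is far richer.

```python
import hashlib
import itertools
import string

# Constructed stand-in for a stolen password store: salted SHA-256 digests.
# The salt and hash function are assumptions for illustration only.
SALT = b"constructed-salt"


def hash_password(salt: bytes, password: str) -> str:
    """Salted SHA-256 digest of a candidate password (hex string)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


# Constructed victims (hypothetical accounts) and their stored digests.
TARGETS = {
    "alice": hash_password(SALT, "sunshine"),   # one common word
    "bob":   hash_password(SALT, "Sunshine1"),  # common word plus a typical mangling
    "carol": hash_password(SALT, "b7q"),        # short, non-word, digit in the middle
}

# A tiny constructed frequency dictionary.
WORDLIST = ["123456", "password", "qwerty", "sunshine", "letmein", "dragon"]


def mangle(word: str):
    """Word-creation rules of the kind the text mentions: case changes and
    appended digits or punctuation. The plain word is yielded first."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for base in (word, word.capitalize()):
        for digit in range(10):
            yield f"{base}{digit}"
        yield base + "123"
        yield base + "!"


def dictionary_attack(target_hash, salt, wordlist, use_rules=False):
    """Linear search through the wordlist; with use_rules each word is expanded."""
    for word in wordlist:
        candidates = mangle(word) if use_rules else (word,)
        for cand in candidates:
            if hash_password(salt, cand) == target_hash:
                return cand
    return None


def brute_force(target_hash, salt, alphabet, max_len):
    """Exhaustive search over every string of `alphabet` up to max_len characters."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            cand = "".join(combo)
            if hash_password(salt, cand) == target_hash:
                return cand
    return None


def crack(target_hash, salt, wordlist, alphabet, max_len):
    """Escalate cheapest-first: plain dictionary, then rules, then brute force.
    Returns (stage, password), or (None, None) if every stage fails."""
    found = dictionary_attack(target_hash, salt, wordlist)
    if found is not None:
        return "dictionary", found
    found = dictionary_attack(target_hash, salt, wordlist, use_rules=True)
    if found is not None:
        return "rules", found
    found = brute_force(target_hash, salt, alphabet, max_len)
    if found is not None:
        return "brute-force", found
    return None, None


if __name__ == "__main__":
    alphabet = string.ascii_lowercase + string.digits
    for user, digest in TARGETS.items():
        print(user, crack(digest, SALT, WORDLIST, alphabet, max_len=3))
```

The order matters: each stage costs orders of magnitude more than the previous one, so a cracker exhausts the cheap dictionary before touching rules, and rules before exhaustive search. “sunshine” falls to the first stage, “Sunshine1” to the second, and the three-character “b7q” only to the third; a longer password with mixed case and punctuation survives all three within the tiny search budget used here.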

It should be mentioned here that the search speed depends mainly on the technology used. Passwords that only a few years ago were expected to take centuries to find can now be cracked in hours or even minutes (CUDA-based GPU cracking, rented cloud servers, and rainbow tables). So the two primary success factors remain time and access to specialized resources. For example, one researcher or hacker builds a powerful supercomputer out of a number of game consoles, another assembles a supercluster from a set of video cards, a third simply rents a powerful cloud, and a fourth has probably infected a few thousand home users with Trojans and built a botnet. These are examples of how the efficiency of each system depends directly on the availability of resources: money, time, and the skills of the people involved.

(Risk associated with complicated password)

However, it is also not recommended to choose a password that is excessively long or impossible to memorize. The reason is simple: if you forget it and have no way to reset or change it, you will have to run password-cracking software against yourself! The basic rule for choosing a password is rather contradictory: the password must stay in the owner's memory easily, but at the same time it must be too complicated to be found by automated search and guessing.

Many users, in their attempts to create the right password, make it so tricky that they cannot remember it and have to write it down. Often the password is kept on a piece of paper within easy reach of the computer, or in a file placed directly on the desktop or in a top-level folder. Anyone close to the computer, or with access to it, can easily find it and, if so inclined, either use it directly or frighten the owner by revealing that the access code is known, especially when changing the password takes several steps or some time.

So, any password, however long or tricky, must be easy to memorize and easy to keep safe. Passwords made of several words “diluted” with digits, of the first few letters of each line of a poem, or simply of letter-and-digit combinations that are clear and logical to their author but look like a set of unrelated characters to everyone else, are the hardest to attack while remaining memorable.

As mentioned more than once above, the two main characteristics of any password are its length and the size of the alphabet from which it is drawn. Anderson's formula is often cited here: the time needed to find a password by brute force is less than or equal to the number of distinct characters (letters, digits and special symbols) allowed in the password, raised to the power of the password length, divided by the number of candidates the attacker can check per unit of time. In short, T ≤ A^L / V, where A is the alphabet size, L the length, and V the search speed.

Stated in words this may look confusing, but in practice it is much simpler. Take a six-character password made of uppercase and lowercase Latin letters and digits, and a program that can check 10 million passwords per second. The Latin alphabet has 26 letters in each case, 52 in total; adding the digits 0 to 9 gives 62. So for each position of the password there are 62 possibilities, one of them correct. For the total number of candidates, raise this number to the power of the password length: 62 to the power of 6, nearly 57 billion (exactly 56800235584). Dividing by 10 million gives 5680 seconds, or almost 95 minutes. So even a six-character password takes more than an hour to exhaust at a speed of 10 million candidates per second.

The search speed obviously differs between situations, services, and programs. Note, too, that Anderson's formula has no equality sign but a “less than or equal to” sign. This is because, in an exhaustive search, the password may turn up in the first billion combinations or in the last, and nobody can guarantee that a password such as “aaaaaaaa” or “zzzzzzzz” will not be hit at once. The time calculated by the formula is the full period within which the password is certain to be found; in practice the real time is never more than that, and on average it is about half of it.

It is often recommended to use punctuation marks, brackets, or special characters in passwords. They certainly increase a password's resistance to cracking, but they are also inconvenient for the user. First, not all Internet services accept special symbols in a password. Second, such passwords can be harder to remember because you cannot “pronounce them mentally.” Third, a keyboard with a non-standard layout is sometimes required, which hampers input and makes finding the right character slower. Besides, resistance grows faster with length than with alphabet size, because the alphabet size is the base of the power function and the length is the exponent: adding one character to a six-character password over 62 symbols multiplies the search space by 62, whereas adding 32 punctuation symbols to the alphabet at the same length multiplies it by (94/62)^6, only about 12.
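A small calculator for the formula and the comparisons discussed in the paragraphs above (the 62^6 worked example, the “less than or equal” caveat, the effect of faster hardware, and length versus alphabet size), as an added example that is not code from the original paper. The alphabet sizes are real character counts; the guess rates are illustrative assumptions, not measurements of any particular cracker.

```python
import string

# Character counts for common password alphabets (32 ASCII punctuation marks).
ALPHABETS = {
    "lowercase": len(string.ascii_lowercase),                              # 26
    "mixed case": len(string.ascii_letters),                               # 52
    "mixed case + digits": len(string.ascii_letters + string.digits),      # 62
    "mixed case + digits + punctuation": len(string.printable.strip()),    # 94
}

# Assumed search speeds, chosen for illustration only.
RATES = {"single CPU (assumed)": 1e7, "GPU cluster (assumed)": 1e10}


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords: alphabet size raised to the password length."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Anderson's bound as stated in the text, T <= A**L / V: the time to
    exhaust the whole space. The real time is never more than this."""
    return search_space(alphabet_size, length) / guesses_per_second


def expected_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Average case: a password at a uniformly random position in the
    enumeration order is found after about half the space."""
    return worst_case_seconds(alphabet_size, length, guesses_per_second) / 2


def growth_factors(alphabet_size: int, length: int, extra_symbols: int):
    """Two ways of hardening a password of the given length:
    one more character (factor = alphabet_size) versus widening the
    alphabet by extra_symbols at the same length (factor = ((A+e)/A)**L).
    Returns (longer, wider)."""
    base = search_space(alphabet_size, length)
    longer = search_space(alphabet_size, length + 1) / base
    wider = search_space(alphabet_size + extra_symbols, length) / base
    return longer, wider


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit, one decimal place."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # The paper's own example: 62 symbols, 6 characters, 10 million guesses/s.
    print("62^6 =", search_space(62, 6),
          "->", describe(worst_case_seconds(62, 6, 1e7)), "worst case,",
          describe(expected_seconds(62, 6, 1e7)), "on average")
    # Same alphabet, growing length, two assumed speeds.
    for name, rate in RATES.items():
        for length in (6, 8, 10, 12):
            print(f"{name:22s} L={length:2d}: {describe(worst_case_seconds(62, length, rate))}")
    longer, wider = growth_factors(62, 6, 32)
    print(f"one more character: x{longer:.0f}; 32 extra symbols: x{wider:.1f}")
```

Running it reproduces the paper's 5680-second figure and shows why the “less than or equal to” matters: the average search ends at about half the bound. It also makes the last point of the text concrete: at length six, one extra character buys a factor of 62 while the whole punctuation set buys roughly a factor of 12.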

This paper has discussed the risk of using weak (or over-complicated) passwords strictly from the user's perspective: what people do with passwords.